Headline
CVE-2023-31913: Assertion 'context_p->scope_stack_size == PARSER_MAXIMUM_DEPTH_OF_SCOPE_STACK' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class):1068. · Issue #5061 · jerryscript-project
Jerryscript 3.0 *commit 1a2c047) was discovered to contain an Assertion Failure via the component parser_parse_class at jerry-core/parser/js/js-parser-expr.c.
JerryScript revision
Commit: 1a2c047
Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
// poc.js class v0 { v1 = class v2 { } }
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js ICE: Assertion ‘context_p->scope_stack_size == PARSER_MAXIMUM_DEPTH_OF_SCOPE_STACK’ failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_parse_class):1068. Error: JERRY_FATAL_FAILED_ASSERTION Aborted
Credits:
@Ye0nny, @EJueon of the seclab-yonsei.